
A new user is created by an admin. They need to reset their initial password on first login. We have the Cognito app client configured to only allow custom authentication flow (CUSTOM_AUTH_FLOW_ONLY). But when the user resets their password, the auth flow ends and they get the id-, access- and refresh-token immediately, none of the custom challenges are issued.

  • How can I steer the flow to continue with my custom challenge flow, instead of issuing the tokens?
  • It would also work if the tokens were not sent in the response after they reset their initial password, so that the user has to log in again.

A new user currently runs through this flow:

  1. At the moment, for a new user, we send InitiateAuthRequest with username and SRP_A, AuthFlow set to CUSTOM_AUTH, as a normal login would do.
  2. Our DefineAuthChallengeLambda is hit, issuing the PASSWORD_VERIFIER challenge.
  3. The client responds to the auth challenge with the SRP claims, username and timestamp.
  4. Cognito verifies the response and sees that the user must change their password. Our Lambda triggers are skipped and the NEW_PASSWORD_REQUIRED challenge is returned by Cognito.
  5. The client responds to the auth challenge with a new password, Cognito accepts the password and issues the tokens, which is not what we want.

We either want for the flow to end here and not issue any tokens, or to not end here and continue with a define auth challenge trigger call.

Sven Möhring

1 Answer

So I contacted the AWS Support and got the following answer:

As I mentioned, we've been engaging with the team and it looks like you've identified an issue with using Custom_Auth as well as an issue with using Custom_Auth and Password_Verifier/New_Password_Required challenges. It looks like changing Custom_auth to or from SRP_A and using the New password required challenge does not work at this moment. We managed to replicate this fully with the Cognito Service team and they've confirmed this is a bit broken and we don't have support for these challenges with Custom auth. They agreed however we should support them at base and we've identified this as a feature request with the team and they've placed it on the prioritised list. Unfortunately I can't give a definitive time-frame for this to be implemented fully.

TL;DR: Custom auth flow with password verification isn't fully supported at the moment. Password-reset challenges break the flow.

For us, we use a workaround: In the PreTokenGeneration lambda trigger, we check if the current auth flow comes from a password reset event. If this is the case, we just throw an exception and no tokens are issued. The exception message is returned to the client, so by checking the message content of the exception, you can see what exact error has occurred. If you see that the tokens were not generated because of password reset, just tell the user: "Password successfully reset" and redirect them to the login page again. From there they can log in normally, going through the whole custom auth flow.

Sadly, no feedback can be given on when the feature will be available. Apparently most new features are announced here, so I'll be keeping an eye out for that.

Sven Möhring
  • Cognito does have a ton of bugs. I do hope they take their roadmaps seriously. – Arka Mukherjee Apr 24 '19 at 10:33
  • Any word on if this was ever resolved? We're running into this bug ourselves and trying to decide if we want to go down the workaround path or see if we've just set something up wrong. – jaredready Jan 15 '20 at 19:31
  • @jready Still no news on it. I'm checking the posted link daily but sadly nothing has come up. – Sven Möhring Feb 08 '20 at 11:11
  • @SvenMöhring Any update on this? Could you provide an example of your PreTokenGeneration lambda function and how you know it's coming from the password reset event? – rplankenhorn May 04 '21 at 14:56
  • @rplankenhorn Sorry, but I don't have access to the code, as I got a new job. I think I remember that you could get the previous challenges from a context that is provided as an input parameter to the PreTokenGeneration trigger and if you discover a password reset challenge in there, you just throw and the flow is aborted. Sorry that I can't be of any more help. – Sven Möhring May 05 '21 at 18:18
  • @SvenMöhring thanks for discovering this issue and raising it with the AWS cognito team. Was there ever a Github issue raised for this? If not I'm happy to raise an issue in AWS-amplify – hikarunoryoma Aug 08 '22 at 16:25
  • @hikarunoryoma I never checked and I didn't open one. Feel free to open one though, as I've moved on from AWS in the meantime, changing jobs. – Sven Möhring Aug 09 '22 at 18:59
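The PreTokenGeneration workaround from the answer above, written out as an added example (not the answerer's code): Cognito invokes the pre token generation trigger with triggerSource set to TokenGeneration_NewPasswordChallenge on the temporary-password path, so the trigger can refuse tokens there from a server-side signal rather than anything the client sends. The exception class, the marker string and the sample events are assumptions constructed for this example.

```python
"""Pre Token Generation trigger that withholds tokens on the
NEW_PASSWORD_REQUIRED path, forcing a fresh CUSTOM_AUTH login."""

# Marker the client looks for in the error message Cognito returns (assumed name).
RESET_MARKER = "PASSWORD_RESET_COMPLETE"

# triggerSource Cognito sets when tokens would be issued right after the
# user answers the NEW_PASSWORD_REQUIRED challenge (temporary-password path).
NEW_PASSWORD_SOURCE = "TokenGeneration_NewPasswordChallenge"


class PasswordResetCompleted(Exception):
    """Raised to abort token issuance; Cognito surfaces the message to the client."""


def is_password_reset_login(event: dict) -> bool:
    # Decided from triggerSource, which Cognito sets itself, not from
    # client-supplied clientMetadata that a client could simply omit.
    return event.get("triggerSource") == NEW_PASSWORD_SOURCE


def handler(event: dict, context=None) -> dict:
    if is_password_reset_login(event):
        raise PasswordResetCompleted(RESET_MARKER)
    # Normal login that went through the custom challenges: pass the event through.
    return event


def client_should_relogin(error_message: str) -> bool:
    # Cognito wraps trigger errors (e.g. "PreTokenGeneration failed with
    # error PASSWORD_RESET_COMPLETE."), so match the marker as a substring.
    return RESET_MARKER in error_message


# Constructed sample events (assumption: v1 event shape) for a local dry run.
RESET_EVENT = {"version": "1", "triggerSource": NEW_PASSWORD_SOURCE,
               "userName": "alice", "request": {"userAttributes": {}}}
NORMAL_EVENT = {"version": "1", "triggerSource": "TokenGeneration_Authentication",
                "userName": "alice", "request": {"userAttributes": {}}}

if __name__ == "__main__":
    assert handler(NORMAL_EVENT) is NORMAL_EVENT
    try:
        handler(RESET_EVENT)
    except PasswordResetCompleted as exc:
        print("tokens withheld, client re-logs in:", client_should_relogin(str(exc)))
```

On the client, a matching error means "Password successfully reset": send the user back to the login page, where the full custom auth flow runs again.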